diff --git a/src/middlewared/middlewared/plugins/crypto_/certificates.py b/src/middlewared/middlewared/plugins/crypto_/certificates.py
index 9e13f7b71d7e9..5df063caddbbd 100644
--- a/src/middlewared/middlewared/plugins/crypto_/certificates.py
+++ b/src/middlewared/middlewared/plugins/crypto_/certificates.py
@@ -301,7 +301,10 @@ async def do_create(self, job, data):
         for key in ('key_length', 'key_type', 'ec_curve'):
             data.pop(key, None)
+        add_to_trusted_store = data.pop('add_to_trusted_store', False)
         verrors = await self.validate_common_attributes(data, 'certificate_create')
+        if add_to_trusted_store and create_type in ('CERTIFICATE_CREATE_IMPORTED_CSR', 'CERTIFICATE_CREATE_CSR'):
+            verrors.add('certificate_create.add_to_trusted_store', 'Cannot add CSR to trusted store')
         if create_type == 'CERTIFICATE_CREATE_IMPORTED' and not load_certificate(data['certificate']):
             verrors.add('certificate_create.certificate', 'Unable to parse certificate')
@@ -333,6 +336,7 @@ async def do_create(self, job, data):
                 'domains_authenticators', 'renew_days', 'add_to_trusted_store',
             ]
         }
+        data['add_to_trusted_store'] = add_to_trusted_store
         pk = await self.middleware.call(
             'datastore.insert',
diff --git a/tests/api2/test_certs.py b/tests/api2/test_certs.py
index 9388b8ed3ef17..a7bbd622ef781 100644
--- a/tests/api2/test_certs.py
+++ b/tests/api2/test_certs.py
@@ -1,16 +1,13 @@
+import os.path
+import textwrap
+
 import pytest
-from truenas_api_client import ValidationErrors
 from middlewared.test.integration.assets.crypto import (
     certificate_signing_request, get_cert_params, intermediate_certificate_authority, root_certificate_authority
 )
 from middlewared.test.integration.utils import call
-
-import sys
-import textwrap
-import os
-apifolder = os.getcwd()
-sys.path.append(apifolder)
+from truenas_api_client import ValidationErrors
 # We would like to test the following cases
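Review bot: The new CSR guard `if add_to_trusted_store and create_type in (...)` tests the raw value popped from the request, and because the pop happens before `validate_common_attributes` that helper never sees the flag; if the method's accepts schema does not already coerce the field to a bool, a truthy non-bool payload would slip through as "enabled", so consider `add_to_trusted_store = bool(data.pop('add_to_trusted_store', False))` (or confirm the schema type). Since adding a certificate to the system trust store changes what the whole host trusts, a one-line comment on the guard would help the next reader: `# A CSR carries no signed certificate, so there is nothing to install as a trust anchor`. do_create starts and continues outside this hunk.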
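Review bot: The re-insertion `data['add_to_trusted_store'] = add_to_trusted_store` in the second certificates.py hunk makes the `'add_to_trusted_store'` entry in the exclusion list just above it dead code, because the key was already popped from `data` earlier in the same method; either drop that entry from the list so the intent is visible, or keep the key in `data` and read it with `data.get('add_to_trusted_store', False)` instead of the pop-then-reassign sequence. A short comment such as `# persisted so the trust-store write can be reconciled on update/delete` would document why the value is stored rather than consumed here, assuming that is the reason. The enclosing method and the dict filter whose tail is shown here both begin outside the hunk.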
@@ -199,6 +196,31 @@ def test_cert_issuer_reported_correctly():
         call('certificate.delete', cert['id'], job=True)
+@pytest.mark.parametrize('add_to_trusted_store_enabled', [
+    True,
+    False,
+])
+def test_cert_add_to_trusted_store(add_to_trusted_store_enabled):
+    with intermediate_certificate_authority('root_ca', 'intermediate_ca') as (root_ca, intermediate_ca):
+        cert = call('certificate.create', {
+            'name': 'cert_trusted_store_test',
+            'signedby': intermediate_ca['id'],
+            'create_type': 'CERTIFICATE_CREATE_INTERNAL',
+            'add_to_trusted_store': add_to_trusted_store_enabled,
+            **get_cert_params(),
+        }, job=True)
+        try:
+            assert cert['add_to_trusted_store'] == add_to_trusted_store_enabled
+            args = ['filesystem.stat', os.path.join('/var/local/ca-certificates', f'cert_{cert["name"]}.crt')]
+            if add_to_trusted_store_enabled:
+                assert call(*args)
+            else:
+                with pytest.raises(Exception):
+                    call(*args)
+        finally:
+            call('certificate.delete', cert['id'], job=True)
+
+
 def test_creating_csr():
     with certificate_signing_request('csr_test') as csr:
         assert csr['cert_type_CSR'] is True, csr
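Review bot: `with pytest.raises(Exception):` in the disabled branch of test_cert_add_to_trusted_store accepts any failure of `filesystem.stat`, so the negative case also passes when the call fails for an unrelated reason (wrong path, connection problem); narrow it to the exception class the client raises for a missing path, or assert on the error's message, so it proves the file is absent. The test also never checks that the `.crt` is removed once `certificate.delete` runs in `finally`, so a regression that leaves a stale trust anchor on the host after deletion would go unnoticed; asserting after the cleanup call that `call(*args)` now fails (for the enabled case) would cover it. `root_ca` bound by the `with` is unused and could be `_`.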